Say I have normal 15 user groups and 1 admin group. I have a file directory /ReadingMaterial which has 15 text files inside of it. I want the admin group to have read/write permissions to the entire directory (all 15 files). I want the user groups to only be able to read 1 specific file inside the directory. For example, UserGroup1 will only have read access to the file called UserGroup1Material.txt
I can't find the command required tho anywhere with searching, found dozens of pages which go over simply creating or editing groups and files as a whole (owners, groups, users), but none for individual groups on their own.
I'm pretty sure it can be done, but for the life of me cannot find it anywhere with google searches or in the manual
You can change the group ownership of the file with chgrp and change its permission so that only the users of UserGroup1, and its creator, are allowed to have read access to your file :
chgrp UserGroup1 UserGroup1Material.txt
chmod 440 UserGroup1Material.txt
Related
CWE-61 is about soft links. The basic idea is that attackers point a normal file to other system files or unexpected files through soft links to achieve arbitrary write purposes.
But I have a question, if user A tries to point fileA to fileB through a soft link and exploits this vulnerability to modify fileB; Isn't A required to have the read and write permissions on fileB? (or user A can run the program as root)
If user A already has this permission, why does user A need to use CWE-61 to modify fileB?
What is a good way to prevent people from submitting changes to a file? I was thinking of two methods
p4 trigger with a python snippet that holds a dictionary with protected paths and warn the user that changes are not accepted any more for that file.
use a bot account to check-out the file and never check-in (sounds like a bad idea)
I was searching for "permanently lock file" however that is just to keep exclusive locks when a file is only to be authored by one user at a time.
Remove write access in the protection table. I.e. run p4 protect and then set up permissions for the path like:
write user * * -//depot/whatever/path/...
If you want users to be able to sync and/or open the file but not submit it, add another line afterward that grants read or open permission specifically. For example, to allow users to sync that path but not edit or submit you'd do:
write user * * -//depot/whatever/path/...
read user * * //depot/whatever/path/...
In Samba share directory and file will be create by username and group name that's why I have to use sticky permission:
Chmod 1770 /testfolder
In this permission user can create file and folder.
Anyone can help me how can i restricted to delete file and folder.
how can I restrict users to delete file and folder.
Or, in other words, is there a permission such that a user can add files to a directory, but not delete them?
NO. The write permission given to a directory lets the user modify that directory, which means create new entries, but also means delete entries. Both operations, in fact, modify the directory, i.e. the list of files contained there. It would be very handy to discriminate between adding a file and deleting it - but things are not so.
But, depending on OS and file system, may be you can set a special attribute on a directory:
chattr -d +a nodelete/
will give the special attribute "append only" to the specified directory. "Append only" means you can create but not delete or overwrite. That will achieve, presumably, exactly what you want; see documentation for chattr, it could be your friend.
On ubuntu I have the following:
A folder: `shares`, pemissions 755, owner root:somegroup.
Users and groups:
user1 user2 (groupx)
user3 user4 (groupy)
user5 (groupz)
I need to give the users in groupx and groupy the permission to create their own data inside share folder, but every single user can ONLY delete what he created, nothing more.
groupz users can only read content of share without writing.
If that helps, may I get the answer in case of ignoring the groups (just taking care of that each single user can create, and ONLY delete his own created files)?
Can anyone help me how can I get that be giving the right permissions and owners? because nothing help came to my mind.
According to this topic this is not possible.
To create/remove files in some dir you need to have a wx permissions to its parent dir. The user can even delete a file that he is not able to read.
The only option I see is to create the subdirectories for each user, where only this user has write permission. (chmod 750)
//Edit:
It's possible!
I was not aware of the sticky bit:
chmod 1770 on parent dir.
This adds a requirement that only dir owner or file owner can delete a file inside.
I am looking for the some document/presentation which will give me an idea about different File and Directory attributes available on Windows, Mac and Linux file system. Also wanted to know Common attributes present across all three Operating systems. I want to cross verify my work.
Thanks,
Omky
First, you want to check the File system rather the OS, is mostly a File system feature, not OS, the Operative System can "support" or not all FS features.
On Linux and OSX, there is a UNIX standard, you have the common owner/group/other where a File contains a user owner (just a user) and a group owner (a group contains a list of users).
With that knowledge, you can set permissions like read/write/executable permissions for the owner of file, the group of file and a "non user non member of the group".
Example:
I have a file called hello.out and I want to restrict a "modification" for EVERY user, but my user only can execute it and every user can read it. I will set permission 544. the first value, 5 will provide read and execute to owner, the second value, 4 will provide only read to group, and the third value, another 4, will provide only read to any other user.
You have extended permissions on some UNIX file systems, on EXT2/3/4 and others, you can set permissions for a specific user (File system extended attributes). Also, you have some "flags" with special features, like provide a root execution with the SUID flag or force exclusivity of files on a directory to owner with the sticky flag.
More info about UNIX permissions here: http://en.wikipedia.org/wiki/File_system_permissions
On Windows instead, is hard to say, first, you have FAT16/32, there is no permissions with this File system. Using FAT16/32 on Linux can "emulate" a UNIX permission, but is global for all files and will not be stored on File system.
For File systems like NTFS, is pretty similar to UNIX, but you have a longer list of control for actions on the file or folder, but basically you have read/write/read and execute/list files/modify/full permission.
For more info, you can find every basic and special attributes here: http://technet.microsoft.com/en-us/library/bb727008.aspx